The democratization of IT has empowered users to choose best-of-breed Software as a Service (SaaS) applications that can drive efficiency and support business agility. While beneficial for business purposes, today’s rapidly scaling SaaS adoption leaves security teams unable to oversee or govern the resulting sprawl. As the number of applications used by organizations rises, so does SaaS-to-SaaS interconnectivity and the number of third-party integrations, accelerated through the use of API tokens, OAuth third-party apps, SaaS marketplaces, and no/low-code automated workflows. These integrations significantly expand supply chain access, and with it the corresponding risk and attack surface.
Security teams currently struggle with bridging the gap between alerts and mitigation of breaches, have limited visibility due to blind spots and lack of context, and focus only on monitoring human identities, leaving the growing number of non-human identities used for programmatic access and automated processes exposed to supply chain attacks. In just the past few months, we’ve witnessed three extraordinary attacks leveraging this growing risk vector.
As the dust of the Okta, MailChimp and GitHub breaches settles, organizations are experiencing a quick and brutal awakening to the fact that third-party interconnectivity is now a liability. Security teams and business leaders must attempt to resolve this dissonance in order to allow businesses to innovate and thrive while ensuring the keys to the kingdom are kept secure. There are crucial and practical steps that should be taken in order to proactively reduce risks associated with supply chains. This article briefly analyzes the three most recent attacks, illustrating the inherent risks of leaving your supply chain in the dark, and what should have been done to mitigate them.
March: The Okta Compromise
Following an extensive investigation, Okta executives disclosed that the infamous LAPSUS$ group compromised the workstation of a Sitel engineer, a third-party vendor connected to Okta’s infrastructure. Potentially impacting hundreds of Okta customers, the attackers used the workstation, which was logged into Okta’s customer support infrastructure, to access Okta’s SuperUser application, used to configure Okta customer tenants — although, according to Okta, they were unsuccessful in implementing any configuration changes during this attack.
Hitting an industry soft spot, the Okta compromise sent waves of panic throughout the industry. As a core identity and access management (IAM) platform used by countless organizations, its high-privilege access to business-critical applications within those organizations heightened concerns. Many organizations were distraught by the possibility that their Okta tenant had been breached and questioned whether there had been any attempts to leverage Okta’s trusted access to gain unauthorized access to their applications. Taking control of their own internal security mechanisms, organizations implemented password rotations, multifactor authentication (MFA) resets, revocation of administrative application programming interface (API) access tokens, and thorough audits and log reviews.
These remediation and protection measures were woefully overdue. Organizations should ensure that they have proper and continuous visibility and analysis of their configurations and activity logs, in order to help them be well prepared for such breaches, which will inevitably continue to destabilize supply chains in enterprises.
March: The MailChimp Breach
MailChimp detected unauthorized access by attackers who had successfully social-engineered MailChimp employee accounts. Access to internal customer support and account administration tools allowed the attackers to reach hundreds of MailChimp customer accounts and export data from them. Interestingly, many sources reported that the attackers were also able to access and abuse customer API keys, which allowed them to launch phishing campaigns targeting the cryptocurrency and finance industries.
This attack illustrated the attackers’ sophistication and growing understanding that, instead of using traditional access methods, they can amplify their capabilities by leveraging non-human identities to scale their operations and remain undetected. Non-human, app-to-app integrations operate in the background, connect through service accounts and are effectively always ‘logged in’, which is exactly what malicious actors capitalize on. Maintaining zero trust controls and least privilege access provisions across this rapidly expanding web of integrations is critical to ensure that tokens are not abused.
April: The GitHub Attack Campaign
GitHub identified indications of unauthorized access using stolen OAuth tokens, which were issued to two of its third-party vendors, Heroku (a Salesforce company) and Travis CI. Authenticating to the GitHub API using these stolen tokens, the attackers executed a highly targeted attack culminating in the downloading of dozens of private data repositories belonging to GitHub customers, including npm. GitHub suggested that the contents of these repositories could be used to allow the attackers to pivot into a much broader supply chain attack and gain access to additional infrastructure. With an understandable time gap between discovery, customer notification and remediation, attackers may have been able to rapidly expand their reach and carry out a wide supply chain attack.
It is clear that while GitHub’s SaaS application was not the source of the compromise, the lack of a continuously updated inventory of all existing third-party vendors and their access provisions (API keys, OAuth tokens, or other SaaS-to-SaaS integrations) is a significant handicap for rapid response and mitigation of attacks on third-party vendors. An informed incident response strategy must be based on information gleaned from the breached vendors, in order to ascertain whether the organization itself was impacted and assess the blast radius.
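The inventory and least-privilege controls argued for above, as an added example (not from the article or any vendor's product): a minimal register of SaaS-to-SaaS grants that answers the two incident-response questions the GitHub case raises (which of our credentials were issued to the breached vendor, and what could they reach) and flags grants that violate least privilege. The vendor names come from the cases discussed; the records, owners, idle periods and GitHub-style scope names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable

# Scopes treated here as "keys to the kingdom": anything that can read or
# modify code, packages or tenant/org configuration (illustrative GitHub-style names).
HIGH_RISK_SCOPES = frozenset({"repo", "admin:org", "write:packages"})

@dataclass(frozen=True)
class Integration:
    vendor: str            # third party the credential was issued to
    kind: str              # "oauth" or "api_key"
    scopes: frozenset      # OAuth scopes / API permissions granted
    owner: str             # human or service account that approved the grant
    idle_days: int         # days since the credential was last used

# Constructed sample inventory; in practice this is exported from each SaaS tenant.
INVENTORY = [
    Integration("Heroku", "oauth", frozenset({"repo", "user:email"}), "svc-deploy", 2),
    Integration("Travis CI", "oauth", frozenset({"repo", "read:org"}), "alice", 140),
    Integration("Slack", "oauth", frozenset({"read:org"}), "bob", 1),
    Integration("MailChimp", "api_key", frozenset({"lists:write"}), "svc-marketing", 400),
]

def blast_radius(inventory: Iterable[Integration], breached_vendor: str) -> dict:
    """Given a vendor compromise, list what an attacker holding its tokens could reach."""
    hits = [i for i in inventory if i.vendor.lower() == breached_vendor.lower()]
    exposed = frozenset().union(*(i.scopes for i in hits))
    return {
        "credentials_to_revoke": len(hits),
        "owners_to_notify": sorted({i.owner for i in hits}),
        "exposed_scopes": sorted(exposed),
        "high_risk": sorted(exposed & HIGH_RISK_SCOPES),
    }

def least_privilege_findings(inventory: Iterable[Integration], max_idle_days: int = 90) -> list:
    """Flag grants to revoke or review: unused credentials and high-risk scopes."""
    findings = []
    for i in inventory:
        if i.idle_days > max_idle_days:
            findings.append((i.vendor, i.owner, f"idle {i.idle_days}d: revoke"))
        risky = i.scopes & HIGH_RISK_SCOPES
        if risky:
            findings.append((i.vendor, i.owner, f"high-risk scopes {sorted(risky)}: review"))
    return findings

if __name__ == "__main__":
    print(blast_radius(INVENTORY, "heroku"))
    for finding in least_privilege_findings(INVENTORY):
        print(finding)
```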
Trust You Must Manage
If 2022’s attack history is any indication, supply chain attacks leveraging SaaS-to-SaaS integrations are the vector of choice for malicious actors, and alarm bells should be ringing in every office, from the chief information security officer (CISO) to the rest of the C-suite. Inevitably, the supply chain and the use of third-party vendors will keep growing as SaaS users base the majority of their workloads, automated processes and trust on these non-human actors that drive transparency and interconnectivity. Attackers are also well aware of the benefits inherent in accessing these high-privileged backdoor keys to the kingdom and will continue to exploit them under the (un)watchful eye of security professionals. While remediation activities are crucial, protective measures including heightened visibility, management, proactive risk reduction and mitigation efforts should be incorporated into organizational security protocols.